a25335e1fa
Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here.
218 lines
5.2 KiB
Plaintext
218 lines
5.2 KiB
Plaintext
policy_module(rgmanager, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow rgmanager domain to connect to the network using TCP.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(rgmanager_can_network_connect, false)
|
|
|
|
type rgmanager_t;
|
|
type rgmanager_exec_t;
|
|
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
|
|
|
|
type rgmanager_initrc_exec_t;
|
|
init_script_file(rgmanager_initrc_exec_t)
|
|
|
|
type rgmanager_tmp_t;
|
|
files_tmp_file(rgmanager_tmp_t)
|
|
|
|
type rgmanager_tmpfs_t;
|
|
files_tmpfs_file(rgmanager_tmpfs_t)
|
|
|
|
type rgmanager_var_log_t;
|
|
logging_log_file(rgmanager_var_log_t)
|
|
|
|
type rgmanager_var_run_t;
|
|
files_pid_file(rgmanager_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# rgmanager local policy
|
|
#
|
|
|
|
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
|
|
dontaudit rgmanager_t self:capability { sys_ptrace };
|
|
allow rgmanager_t self:process { setsched signal };
|
|
dontaudit rgmanager_t self:process ptrace;
|
|
|
|
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
|
|
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
|
|
allow rgmanager_t self:unix_dgram_socket create_socket_perms;
|
|
allow rgmanager_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
|
|
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
|
|
files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
|
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
|
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
|
|
|
|
manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
|
|
logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
|
|
|
|
manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
|
|
|
|
kernel_kill(rgmanager_t)
|
|
kernel_read_kernel_sysctls(rgmanager_t)
|
|
kernel_read_rpc_sysctls(rgmanager_t)
|
|
kernel_read_system_state(rgmanager_t)
|
|
kernel_rw_rpc_sysctls(rgmanager_t)
|
|
kernel_search_debugfs(rgmanager_t)
|
|
kernel_search_network_state(rgmanager_t)
|
|
|
|
corecmd_exec_bin(rgmanager_t)
|
|
corecmd_exec_shell(rgmanager_t)
|
|
consoletype_exec(rgmanager_t)
|
|
|
|
# need to write to /dev/misc/dlm-control
|
|
dev_rw_dlm_control(rgmanager_t)
|
|
dev_setattr_dlm_control(rgmanager_t)
|
|
dev_search_sysfs(rgmanager_t)
|
|
|
|
domain_read_all_domains_state(rgmanager_t)
|
|
domain_getattr_all_domains(rgmanager_t)
|
|
domain_dontaudit_ptrace_all_domains(rgmanager_t)
|
|
|
|
files_create_var_run_dirs(rgmanager_t)
|
|
files_getattr_all_symlinks(rgmanager_t)
|
|
files_list_all(rgmanager_t)
|
|
files_manage_mnt_dirs(rgmanager_t)
|
|
files_manage_mnt_files(rgmanager_t)
|
|
files_manage_mnt_symlinks(rgmanager_t)
|
|
files_manage_isid_type_files(rgmanager_t)
|
|
files_manage_isid_type_dirs(rgmanager_t)
|
|
|
|
fs_getattr_xattr_fs(rgmanager_t)
|
|
fs_getattr_all_fs(rgmanager_t)
|
|
|
|
storage_raw_read_fixed_disk(rgmanager_t)
|
|
storage_getattr_fixed_disk_dev(rgmanager_t)
|
|
|
|
term_getattr_pty_fs(rgmanager_t)
|
|
#term_use_ptmx(rgmanager_t)
|
|
|
|
# needed by resources scripts
|
|
auth_read_all_files_except_shadow(rgmanager_t)
|
|
auth_dontaudit_getattr_shadow(rgmanager_t)
|
|
auth_use_nsswitch(rgmanager_t)
|
|
|
|
logging_send_syslog_msg(rgmanager_t)
|
|
|
|
miscfiles_read_localization(rgmanager_t)
|
|
|
|
mount_domtrans(rgmanager_t)
|
|
|
|
tunable_policy(`rgmanager_can_network_connect',`
|
|
corenet_tcp_connect_all_ports(rgmanager_t)
|
|
')
|
|
|
|
# rgmanager can run resource scripts
|
|
optional_policy(`
|
|
aisexec_stream_connect(rgmanager_t)
|
|
corosync_stream_connect(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_domtrans(rgmanager_t)
|
|
apache_signal(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fstools_domtrans(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rhcs_stream_connect_groupd(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ccs_manage_config(rgmanager_t)
|
|
ccs_stream_connect(rgmanager_t)
|
|
rhcs_stream_connect_gfs_controld(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_domtrans(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ldap_initrc_domtrans(rgmanager_t)
|
|
ldap_domtrans(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_domtrans_mysql_safe(rgmanager_t)
|
|
mysql_stream_connect(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
netutils_domtrans(rgmanager_t)
|
|
netutils_domtrans_ping(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_domtrans(rgmanager_t)
|
|
postgresql_signal(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rdisc_exec(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_initrc_domtrans_nfsd(rgmanager_t)
|
|
rpc_initrc_domtrans_rpcd(rgmanager_t)
|
|
|
|
rpc_domtrans_nfsd(rgmanager_t)
|
|
rpc_domtrans_rpcd(rgmanager_t)
|
|
rpc_manage_nfs_state_data(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_initrc_domtrans(rgmanager_t)
|
|
samba_domtrans_smbd(rgmanager_t)
|
|
samba_domtrans_nmbd(rgmanager_t)
|
|
samba_manage_var_files(rgmanager_t)
|
|
samba_rw_config(rgmanager_t)
|
|
samba_signal_smbd(rgmanager_t)
|
|
samba_signal_nmbd(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_domtrans_ifconfig(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
virt_stream_connect(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xen_domtrans_xm(rgmanager_t)
|
|
')
|